Hybrid encryption

Important feature

The essential feature of hybrid encryption is that the symmetric key is created afresh for every new conversation or data exchange, e.g. for every new session. A session key is a one-time, randomly generated string of bits which is used to transform plaintext into ciphertext. Every time a party intends to communicate with another, the cryptosystem generates a new symmetric key from a cryptographically secure random number generator, so that its value cannot be guessed, reproduced or predicted by an attacker. Because every session key is independent of all the others, a leak of a symmetric key from a previous session or contact exposes only that session. Note that this alone does not protect past sessions against a later compromise of the recipient's long-term private key, since that key can unwrap every session key ever sent to it; forward secrecy in the strict sense additionally requires that the key exchange itself be ephemeral.

How it works

Basically, all data that is going to be transferred is encrypted with a symmetric key, and the symmetric key itself is encrypted using asymmetric encryption. Both the encrypted data and the encrypted key are delivered to the recipient. The encryption keys are managed differently depending on how the communication takes place: either in real time (chat, voice calls, secure web browsing, etc.) or as information sent "to the future" which will be read by the recipient some day (e-mail, reports, sensitive documents, etc.).

Example 1: hybrid encryption in real-time communication

1.Users exchange public keys. Essentially, the initiator of the communication request should obtain the public key of the party that accepts the request.

5.Now both sides communicate using the same session key. The communication stream is encrypted with a strong symmetric encryption algorithm, and only the parties holding the matching one-time key can decrypt it. Intercepting the encrypted data is useless on its own, because without the key the captured bits are indistinguishable from random noise.

The case where encrypted data is sent now and will be read by the recipient at some point in the future requires a key-management policy that differs from real-time communication. Examples of this type of hybrid encryption are e-mail encryption (e.g. PGP), sending sensitive documents, etc.

Example 2: encrypted data is sent to the future

1.Users exchange public keys.

2.The sender writes a message (creates a document).

3.The sender generates a random one-time session key and encrypts the message with it.

4.The sender encrypts the symmetric session key with the recipient's public key obtained in step 1.

5.The sender sends both the encrypted message and the encrypted key to the recipient.

6.Such a secured data package may remain untouched for some time until the recipient initiates the decryption process. To do so, the recipient must hold the private key that matches the public key used in step 4. First, the recipient unlocks the package with the private key and releases the session key. Then the session key is used to decrypt the message, e-mail or file. Because the session key is generated fresh for each package, decrypting one package reveals nothing about any other.
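The six steps above, worked through as an added example in Go using only the standard library; this is not code from the original page. The page names no particular algorithms, so the choice of AES-256-GCM as the symmetric cipher and RSA-OAEP (SHA-256, 2048-bit key) to wrap the session key, the type and function names, and the sample message are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedPackage is the "secured data package" of step 5: the one-time
// session key wrapped with the recipient's RSA public key, plus the
// message encrypted under that session key with AES-256-GCM.
type SealedPackage struct {
	WrappedKey []byte // session key encrypted with RSA-OAEP (step 4)
	Nonce      []byte // AES-GCM nonce, fresh for every package
	Ciphertext []byte // message encrypted with the session key, GCM tag appended (step 3)
}

// GenerateRecipientKey stands in for the recipient's side of step 1:
// it creates the key pair whose public half is handed to the sender.
func GenerateRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal is the sender's side (steps 3 to 5). A new random session key is
// generated on every call, so two packages for the same message never
// share a key or a ciphertext.
func Seal(recipientPub *rsa.PublicKey, message []byte) (*SealedPackage, error) {
	// Step 3: one-time session key from the OS CSPRNG (32 bytes = AES-256).
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// GCM also authenticates the ciphertext, so tampering is detected in step 6.
	ciphertext := aead.Seal(nil, nonce, message, nil)

	// Step 4: wrap the symmetric session key with the recipient's public key.
	// RSA-OAEP/SHA-256 with a 2048-bit modulus has room for the 32-byte key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// Step 5: both parts travel together.
	return &SealedPackage{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open is the recipient's side (step 6) and may run any time later: the
// private key first releases the session key, then the session key
// decrypts the message. A wrong private key or a modified package makes
// it fail with an error instead of returning garbage.
func Open(recipientPriv *rsa.PrivateKey, pkg *SealedPackage) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, pkg.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong private key or damaged package")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := aead.Open(nil, pkg.Nonce, pkg.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("session key recovered but the message failed authentication")
	}
	return plaintext, nil
}

func main() {
	recipientPriv, err := GenerateRecipientKey() // step 1 (recipient side)
	if err != nil {
		panic(err)
	}
	// Constructed sample message for the example (step 2).
	message := []byte("Quarterly report: sensitive, read when convenient.")
	pkg, err := Seal(&recipientPriv.PublicKey, message) // steps 3 to 5
	if err != nil {
		panic(err)
	}
	got, err := Open(recipientPriv, pkg) // step 6
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", got)
}
```

Two points worth noticing when running it: sealing the same message twice yields different wrapped keys and ciphertexts, because the session key and nonce are regenerated each time; and a package opened with the wrong private key, or with a single flipped ciphertext byte, is rejected rather than decrypted to noise, which is what an authenticated symmetric cipher adds over the bare scheme described in the text.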

Variations of hybrid encryption

Some schemes use several symmetric keys, chosen at random to encrypt different fragments of the data. There are also variations in which strong symmetric encryption of the data is followed by several layers of asymmetric encryption used to deliver the session key through a highly secured channel. Of course, the more complex the encryption scheme, the more computational resources it requires, and complex hybrid schemes may perform poorly on slow hardware.

All these measures serve a single purpose: to make the encryption as strong as possible, so that breaking it within any reasonable time is infeasible.